1. A single-pass packet processor for processing received packets comprising
a stateless segment comprising at least one pipelined plurality of stateless
functional modules, each of said stateless functional modules performing stateless
processing of received packets, and
a stateful segment comprising at least one pipelined plurality of stateful functional
modules, each of said stateful functional modules performing stateful processing of
packets that have been processed by at least one of said stateless functional units.

2. The single-pass packet processor of claim 1 further comprising a plurality of 
communications ports for sending and receiving packets. 

3. The single-pass packet processor of claim 1 wherein said plurality of stateless
functional modules comprises at least one stateless L2 ingress module for mapping an IP
address of a received packet to a corresponding L2 address.

4. The single-pass packet processor of claim 2 wherein said at least one stateless L2 
ingress module performs L2 decapsulation of a received packet to derive an IP packet 
that is made available to at least one other of said stateless or stateful functional modules. 

5. The single-pass packet processor of claim 4 wherein said plurality of stateless
functional modules comprises at least one stateless L3 ingress module, said L3 ingress
module comprising

means for checking the IP header of said IP packet for anomalies,

means for performing IP checksum verification on said IP packet,

means for storing a list of IP addresses associated with said single-pass packet
processor, and

means for determining, based on said IP header and said list of IP addresses,
whether the examined packet is to be retained at said packet processor or routed to
another destination.

6. The single-pass packet processor of claim 5 further comprising

means for determining whether a received packet is to be routed at the L3 layer or
switched at the L4 layer when a determination has been made that said received packet is
to be forwarded to another destination, and

means for routing said packet to said another destination if forwarding is enabled
for said packet.

7. The single-pass packet processor of claim 6 further comprising

means for passing said packet to another functional module in said pipeline when
said packet is to be switched at the L4 layer.

8. The single-pass packet processor of claim 7 further comprising at least one 
stateless firewall module, said stateless firewall module comprising 

means for storing firewall rules, each of which comprises a classification and an 
action, said classification for each packet received at said stateless firewall module being 
based on selected L3/L4 information in said received packet, and 

means for taking an action with respect to each said received packet in accordance 
with said selected L3/L4 information, said action being selected from the group of actions 
comprising accept, deny, forward packet to an external host, and copying said packet to 
an external host. 

9. The single-pass packet processor of claim 7 further comprising at least one 
stateless bandwidth classifier module, said stateless bandwidth module comprising 

means for storing contract information associated with received packet flows, said
contract information optionally including information relating to a plurality of
subcontracts included under a contract,

means for comparing stored contract information with L3 and L4 information in a 
packet received at said stateless bandwidth module, and 

means for entering contract information applicable to a received packet associated
with an identified packet flow in a flow record tagged to said received packet.

10. The single-pass packet processor of claim 8 wherein said stateful segment
comprises at least one stateful firewall module for receiving packets from said stateless 
segment, said stateful firewall module comprising means for protecting against L4 denial 
of service attacks. 

11. The single-pass packet processor of claim 10 wherein said stateful firewall 
module further comprises 

means for switching packets between pairs of identified TCP connections or UDP 
streams. 

12. The single-pass packet processor of claim 11 wherein said stateful segment 
further comprises 

an L4 switching module, said L4 switching module cooperating with said firewall 
module in providing L4 switching of packets, said cooperating comprising identifying 
pairs of TCP connections or UDP streams to be switched. 

13. The single-pass packet processor of claim 12 wherein said L4 switching module 
further comprises 

means for switching received packets to a plurality of servers, and 
means for balancing said traffic switched to said plurality of servers to provide a 
fair share of said traffic to each of said plurality of servers. 

14. The single-pass packet processor of claim 10 wherein said stateful segment 
further comprises 

a bandwidth enforcer module comprising 

means for receiving from said stateless segment packets and respective associated 
tagged flow records containing contract information applicable to each received packet, 
and 

means for determining if a received packet is to be transmitted depending on 
existing traffic patterns at said single-pass packet processor and on contract information 
tagged to said packet received at said bandwidth enforcer module. 

15. The single-pass packet processor of claim 14 wherein said contract information
tagged to said packet received at said bandwidth enforcer module includes Min, Burst 
and Max values for each contract or subcontract associated with a dataflow related to said 
packet received at said bandwidth enforcer module. 

16. The single-pass packet processor of claim 15 wherein said bandwidth enforcer 
module further comprises 

means for determining bandwidth currently committed to each dataflow subject to 
received contract or subcontract information, 

means for dropping a received packet from a given dataflow when bandwidth
currently committed to said given dataflow exceeds the Max value for said dataflow.

17. The single-pass packet processor of claim 16 wherein said bandwidth enforcer 
module further comprises 

means for forwarding with higher priority a received packet from a first dataflow 
when bandwidth currently committed to said first dataflow is at a level between the Min 
value and the Burst value for said first dataflow, and 

means for forwarding with lower priority a received packet from a second 
dataflow when bandwidth currently committed to said second dataflow is at a level 
between the Burst and Max values for said second dataflow. 

18. The single-pass packet processor of claim 17 wherein said bandwidth enforcer 
module further comprises 

means for sharing available bandwidth allotments between flows associated with 
subcontracts subordinate to a common contract. 

19. The single-pass packet processor of claim 14 wherein said stateful segment 
further includes a L2/L3 egress module comprising 

means for determining the next hop destination address for each packet to be 
transmitted. 

20. The single-pass packet processor of claim 19 wherein said L2/L3 egress module
further comprises

means for encapsulating said address data into an IP header,

means for deriving checksum information based on available TCP/UDP data and said IP
header,

means for encapsulating the packet content, said checksum information and said 
IP header in an L2 header for transmission. 

21. The single-pass packet processor of claim 1 wherein at least one of said stateless 
functional modules in at least one of said pipelined plurality of stateless functional 
modules is implemented as an application specific integrated circuit. 

22. The single-pass packet processor of claim 1 wherein at least one of said stateless 
functional modules in at least one of said pipelined plurality of stateless functional 
modules is implemented as a field programmable gate array. 

23. The single-pass packet processor of claim 1 wherein at least one of said stateful 
functional modules in at least one pipelined plurality of stateful functional modules is 
implemented as a programmed processor. 

24. The single-pass packet processor of claim 1 wherein at least one of said stateful 
functional modules in at least one pipelined plurality of stateful functional modules is 
implemented as a programmed network processor. 

25. The single-pass packet processor of claim 1 wherein at least one of said stateful 
pipelined plurality of stateful functional modules is selectively enabled by control signals 
applied to said single-pass packet processor. 

26. The single-pass packet processor of claim 25 wherein at least one of said stateful
pipelined plurality of stateful functional modules is implemented as a coded module 
executed by said programmed network processor. 

27. The single-pass packet processor of claim 1 wherein at least one of said stateless 
pipelined plurality of stateless functional modules is selectively enabled by control 
signals applied to said single-pass packet processor. 
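
The drop and priority decisions of the bandwidth enforcer in claims 14 to 17, as an added Python example that is not part of the claims or of any implementation by the applicant. Assumptions not found in the claims: committed bandwidth is measured as bytes forwarded over a sliding one-second window, the packet being judged counts toward that rate, flows below Min are forwarded with higher priority, and all class, function and flow names are hypothetical.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Contract(NamedTuple):
    """Contract values tagged to a packet's flow record (bytes per second)."""
    min_rate: int
    burst_rate: int
    max_rate: int


class BandwidthEnforcer:
    def __init__(self, window: float = 1.0):
        self.window = window                  # measurement window in seconds (assumption)
        self._sent = defaultdict(deque)       # flow id -> (timestamp, size) of forwarded packets
        self._bytes = defaultdict(int)        # flow id -> bytes forwarded inside the window

    def committed_rate(self, flow: str, now: float) -> float:
        """Bandwidth currently committed to a flow, after expiring old packets."""
        sent = self._sent[flow]
        while sent and sent[0][0] <= now - self.window:
            self._bytes[flow] -= sent.popleft()[1]
        return self._bytes[flow] / self.window

    def decide(self, flow: str, contract: Contract, size: int, now: float) -> str:
        if not 0 <= contract.min_rate <= contract.burst_rate <= contract.max_rate:
            raise ValueError("contract must satisfy Min <= Burst <= Max")
        # Assumption: the candidate packet counts toward the committed rate.
        rate = self.committed_rate(flow, now) + size / self.window
        if rate > contract.max_rate:
            return "drop"                     # claim 16; dropped bytes are not committed
        self._sent[flow].append((now, size))
        self._bytes[flow] += size
        if rate > contract.burst_rate:
            return "forward_low"              # claim 17: between Burst and Max
        return "forward_high"                 # claim 17: Min..Burst; below Min is an assumption


def replay(packets, contract, flow="flow-a"):
    """Run constructed (timestamp, size) packets of one flow through the enforcer."""
    enforcer = BandwidthEnforcer()
    return [enforcer.decide(flow, contract, size, ts) for ts, size in packets]


# Constructed sample: 500-byte packets against Min=1000, Burst=2000, Max=3000 B/s.
SAMPLE_CONTRACT = Contract(1000, 2000, 3000)
SAMPLE_PACKETS = [(0.0, 500), (0.1, 500), (0.2, 500), (0.3, 500),
                  (0.4, 500), (0.5, 500), (0.6, 500), (1.05, 500), (2.0, 500)]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, replay(SAMPLE_PACKETS, SAMPLE_CONTRACT)):
        print(pkt, verdict)
```

Because dropped packets are not added to the committed total, a flow held at Max recovers as soon as earlier packets age out of the window, as the packet at 1.05 s in the sample shows.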